Re: [squid-users] non-transparent squid and port 8080 traffic

From: Chris Robertson <crobertson_at_gci.net>
Date: Mon, 14 Dec 2009 12:02:23 -0900

Asim Ahmed @ Folio3 wrote:
> Chris Robertson wrote:
>> Asim Ahmed @ Folio3 wrote:
>>> hi all,
>>>
>>> I am using squid 3.0Stable20-1 along with Shorewall 4.4.4-1 on a
>>> RHEL5 box. I had a few problems running squid in transparent mode so
>>> now I am running it in non-transparent mode.
>>
>> Please use the term "interception" instead of "transparent".
>>
>>> Every thing like browsing / IM tools working fine. A major problem
>>> that I am facing is that quite a few users in my staff uses TFS
>>> (Team Foundation Server - A code repository running on port 8080)
>>> remotely. After installing squid they are having great difficulty
>>> connecting to that server. I am REDIRECTING port 80 traffic from
>>> shorewall to squid on the same box.
>>
>> Which indicates you are still INTERCEPTING traffic.
> not any more, I've set up client browsers with IPs & ports
>>
>>> I tried same approach and REDIRECTED port 8080 traffic to squid as
>>> well and made an ACL in squid.conf to allow that particular traffic
>>> to that particular server address over port 8080.
>>
>> Why wouldn't it be allowed? Port 8080 is included in "Safe_ports".
>> Assuming you are allowing access to your cache based on source IP,
>> you shouldn't need a special rule allowing traffic to a particular
>> server's port 8080.
> But why is it failing the requests with a 401 error? The remote server
> requests username/password; even then the request fails.
>>
>>> When I see squid access log, traffic shows up there but with HTTP
>>> 401 code that means not-authorized request. On TFS screen users also
>>> get "you are not authorized to connect to this server" error. This
>>> does not make any sense because without squid they just connect in
>>> first attempt.
>>
>> Please share your squid.conf (minus comments and blank lines).
>> Otherwise have a look at
>> http://wiki.squid-cache.org/SquidFaq/SquidAcl#I_set_up_my_access_controls.2C_but_they_don.27t_work.21__why.3F
>>

I'd try allowing access to the TFS before you check for MimeTypes and
keywords.

> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl folio3Network src 192.168.4.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl super_users src "/etc/squid/f3_acls/super_users.acl"
> acl gerrys_users src "/etc/squid/f3_acls/gerrys_groups.acl"
> acl netsat_users src "/etc/squid/f3_acls/netsat_groups.acl"
> acl managers src "/etc/squid/f3_acls/managers.acl"
> acl facebook dstdomain "/etc/squid/f3_acls/facebook.acl"
> acl facebook_users src "/etc/squid/f3_acls/facebook_users.acl"
> acl blocked_sites dstdomain "/etc/squid/f3_acls/blocked_sites.acl"
> acl blocked_request_mt req_mime_type -i "/etc/squid/f3_acls/blocked_mimetypes.acl"
> acl blocked_reply_mt rep_mime_type -i "/etc/squid/f3_acls/blocked_mimetypes.acl"
> acl blocked_keywords url_regex -i "/etc/squid/f3_acls/blocked_keywords.acl"
> acl gaming_sites dstdomain "/etc/squid/f3_acls/gaming_sites.acl"
> acl server_machines src "/etc/squid/f3_acls/server_machines.acl"

acl TFS dst <ip.of.tfs.machine>

> acl working_hours time MTWHF 09:00-13:00
> acl working_hours time MTWHF 14:00-18:30
> acl gaming_hours time MTWHF 21:00-23:59
> acl gaming_hours time MTWHF 01:00-07:00
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow super_users
> http_access allow facebook_users facebook

http_access allow TFS

> http_access deny working_hours blocked_sites
> http_access deny working_hours blocked_request_mt
> http_access deny working_hours blocked_keywords
> http_access deny !gaming_hours gaming_sites
> http_access allow managers
> http_access allow gerrys_users
> http_access allow netsat_users
> http_access allow server_machines
> http_access allow localhost
> http_access deny all
> http_reply_access allow super_users
> http_reply_access deny working_hours blocked_reply_mt
> icp_access allow folio3Network
> icp_access deny all
> htcp_access allow folio3Network
> htcp_access deny all
> http_port 4044
> hierarchy_stoplist cgi-bin ?
> cache_dir aufs /var/spool/squid 10240 16 256
> access_log /var/log/squid/access.log squid
> cache_store_log none
> logfile_rotate 10
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> negative_ttl 0 seconds
> visible_hostname LIANA
> icp_port 3130
> coredump_dir /var/spool/squid
>>
>>>
>>> Even I tried adding a rule in shorewall to process 8080 traffic
>>> before I redirect traffic to squid, but that makes things unreliable
>>> in the sense that some times it work, and at times it does not!
>>> Can anyone help by suggesting any measures to get over this?
>>>
>>> Is it squid's normal behaviour to stop shorewall from working
>>> normally when installed?
>>
>> No.
>>
>>> Does squid take over control of system ports in use by shorewall?
>>
>> Only if you configure it to.
>>
>>
>> Chris

Chris
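As an added example (not from the thread and not Squid code), a small Python model of Squid's http_access evaluation, built from the ACLs in the posted squid.conf, showing why the suggested `allow TFS` line has to sit ahead of the working-hours keyword/mime checks: lines are tried top to bottom, every ACL on a line must match, and the first matching line decides. The TFS address, the contents of the .acl files, the "staff" network and the project name in the request URL are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Squid's weekday letters for "acl ... time": S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat
_DAY = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}


class Request:
    """The subset of a request that the page's ACL types look at."""
    def __init__(self, src, dst, port, url, when):
        self.src, self.dst, self.port, self.url, self.when = src, dst, port, url, when


# Each acl_* builder returns a predicate Request -> bool mirroring one squid.conf ACL type.
def acl_src(*nets):
    nets = [ipaddress.ip_network(n) for n in nets]
    return lambda r: any(ipaddress.ip_address(r.src) in n for n in nets)


def acl_dst(*ips):                  # "dst" matches the destination IP, not a hostname
    return lambda r: r.dst in ips


def acl_port(*specs):
    ranges = []
    for s in specs:
        lo, _, hi = str(s).partition("-")       # "1025-65535" or a single port
        ranges.append((int(lo), int(hi or lo)))
    return lambda r: any(lo <= r.port <= hi for lo, hi in ranges)


def acl_url_regex(*patterns):
    pats = [re.compile(p, re.I) for p in patterns]   # -i in squid.conf
    return lambda r: any(p.search(r.url) for p in pats)


def acl_time(days, start, end):
    to_min = lambda hhmm: int(hhmm[:2]) * 60 + int(hhmm[3:])
    lo, hi, wd = to_min(start), to_min(end), {_DAY[d] for d in days}
    return lambda r: r.when.weekday() in wd and lo <= r.when.hour * 60 + r.when.minute <= hi


def any_of(*acls):          # repeated "acl NAME ..." lines are ORed by squid
    return lambda r: any(a(r) for a in acls)


def NOT(acl):               # the "!" prefix on an http_access line
    return lambda r: not acl(r)


ALL = lambda r: True


def http_access(rules, req):
    """First line whose ACLs all match decides. Returns (verdict, line number)."""
    for n, (verdict, *acls) in enumerate(rules, 1):
        if all(a(req) for a in acls):
            return verdict, n
    # With no match squid takes the opposite of the last line's action; the lists
    # below all end in "deny ALL", so this is never reached here.
    return ("allow" if rules[-1][0] == "deny" else "deny"), None


# ACLs from the posted squid.conf; addresses and file contents are constructed.
TFS_IP = "192.168.4.200"                       # stands in for <ip.of.tfs.machine>
Safe_ports = acl_port(80, 21, 443, 70, 210, "1025-65535", 280, 488, 591, 777)
super_users = acl_src("192.168.4.10/32")       # constructed super_users.acl
staff = acl_src("192.168.4.0/24")              # stands in for the managers/gerrys/netsat lists
working_hours = any_of(acl_time("MTWHF", "09:00", "13:00"),
                       acl_time("MTWHF", "14:00", "18:30"))
blocked_keywords = acl_url_regex("games", "casino")   # constructed blocked_keywords.acl
TFS = acl_dst(TFS_IP)


def policy(with_tfs_allow):
    """The posted http_access order, optionally with 'allow TFS' inserted ahead of
    the working-hours keyword check, as suggested in the reply."""
    rules = [("deny", NOT(Safe_ports)),
             ("allow", super_users)]
    if with_tfs_allow:
        rules.append(("allow", TFS))
    rules += [("deny", working_hours, blocked_keywords),
              ("allow", staff),
              ("deny", ALL)]
    return rules


def tfs_request(when, src="192.168.4.55"):
    # Constructed: a checkout from a TFS project whose name happens to hit a blocked keyword
    url = "http://%s:8080/tfs/DefaultCollection/Games/VersionControl" % TFS_IP
    return Request(src, TFS_IP, 8080, url, when)


def verdict(when, with_tfs_allow):
    return http_access(policy(with_tfs_allow), tfs_request(when))


OFFICE = datetime(2009, 12, 15, 10, 30)     # Tuesday, inside working_hours
EVENING = datetime(2009, 12, 15, 20, 0)     # same day, after 18:30

if __name__ == "__main__":
    print(verdict(OFFICE, False))    # ('deny', 3): the keyword line fires first
    print(verdict(OFFICE, True))     # ('allow', 3): the TFS line now wins
    print(verdict(EVENING, False))   # ('allow', 4): same request, outside working hours
    print(Safe_ports(tfs_request(OFFICE)))   # True: 8080 is already in 1025-65535
```

Two checks worth doing on the real box: Safe_ports already covers 8080 through the 1025-65535 entry, so `deny !Safe_ports` cannot be what blocks TFS, and a request that squid itself denies is logged as TCP_DENIED with status 403, not 401. A 401 in access.log therefore came back from the TFS server through the proxy; the model only shows what the rule order does to the request on the way out.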
Received on Mon Dec 14 2009 - 21:02:31 MST

This archive was generated by hypermail 2.2.0 : Tue Dec 15 2009 - 12:00:02 MST